
Re: Multiple rules for dynamic-looking IP addresses

From: Dan Fulbright <dan+spamassassin-users-list(at)dan.tulsa.ok.us>
Date: Tue Sep 04 2007 - 17:26:11 EDT


On 2007-08-29 23:16, Dan Fulbright wrote:
> I'm having problems with high scores from messages sent from IP
> addresses that appear to be dynamic, but in fact are static. Here's an
> example:
>
> * 4.2 HELO_DYNAMIC_SPLIT_IP Relay HELO'd using suspicious hostname (Split
> *     IP)
> * 4.4 HELO_DYNAMIC_IPADDR2 Relay HELO'd using suspicious hostname (IP addr
> *     2)
> * 1.6 TVD_RCVD_IP TVD_RCVD_IP
> * 2.1 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
>
> Here are the Received lines, with specific information cleaned:
>
> Received: from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com with SMTP;
> Sat, 25 Aug 2007 04:11:59 -0500
> Received: from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft SMTPSVC(6.0.3790.1830);
> Sat, 25 Aug 2007 14:48:07 +0530
>
> I realize that 1.2.3.4 should have a better reverse DNS, but it seems
> that it causes the SA score to be artificially high. I know I could
> disable some of these tests, but I feel like that would artificially
> lower scores.
>
> How can I adjust the scores or write/fix rules so that static IP
> addresses are recognized as such?
>
> I am an admin for example2.com.

Thank you for the replies; however, I think I'll restate my own question. Why are there so many rules that seem to check for the same thing? I'm seeing this more and more often. xo.net seems to be a common domain that uses hostnames like this to send mail. I feel like the right thing to do would be to tell the sender to get a better reverse DNS, but that just isn't feasible.

Received: from 1.2.3.4.ptr.us.xo.net [1.2.3.4] by mail4.example2.com with SMTP;
   Tue, 4 Sep 2007 12:10:07 -0500

Is anyone familiar with xo.net? If so, do you know why I am seeing so many messages from hostnames that look like this? Are these dynamic or static IP addresses?

Thanks.

--df

Received on Tue Sep 4 17:27:01 2007
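The two relay hostnames quoted in this message both embed the sending IP, but only the first carries a "static" label. The following is an added example, not part of the original post and not SpamAssassin's rule logic: it parses the `Received:` lines from the thread and classifies each rDNS name by whether it embeds its own IP and what label accompanies it. The keyword sets, function names and result strings are assumptions made for this illustration.

```python
import ipaddress
import re

# Keyword sets are assumptions for this example, not SpamAssassin's patterns.
STATIC_HINTS = {"static", "fixed", "business"}
DYNAMIC_HINTS = {"dynamic", "dyn", "dhcp", "dsl", "adsl", "cable", "dialup", "pool", "ppp"}

RECEIVED_RE = re.compile(r"^Received:\s+from\s+(\S+)\s+\(?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(line):
    """Return (hostname, ip) from a 'Received: from host [ip]' line, else None."""
    m = RECEIVED_RE.match(line)
    return (m.group(1), m.group(2)) if m else None


def embedded_ip_patterns(ip):
    """Regexes for the usual ways an IPv4 address is written into an rDNS name."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    forms = [sep.join(seq) for seq in (octets, octets[::-1]) for sep in (".", "-")]
    forms.append("".join(o.zfill(3) for o in octets))  # e.g. 001002003004
    # Digit guards stop 1.2.3.4 from matching inside 11.2.3.45.
    return [re.compile(r"(?<!\d)" + re.escape(f) + r"(?!\d)") for f in forms]


def classify_rdns(hostname, ip):
    """Classify a relay hostname by embedded IP and accompanying label."""
    host = hostname.lower().rstrip(".")
    for pat in embedded_ip_patterns(ip):
        if pat.search(host):
            # Look at the alphabetic labels left once the IP part is removed.
            labels = set(re.findall(r"[a-z]+", pat.sub(" ", host)))
            if labels & STATIC_HINTS:
                return "ip-embedded, static label"
            if labels & DYNAMIC_HINTS:
                return "ip-embedded, dynamic label"
            return "ip-embedded, no label"
    return "no embedded ip"


# Received lines as they appear in the thread (already sanitised by the poster).
SAMPLES = [
    "Received: from 1.2.3.4.static.vsnl.net.in [1.2.3.4] by mail5.example2.com with SMTP;",
    "Received: from 1.2.3.4.ptr.us.xo.net [1.2.3.4] by mail4.example2.com with SMTP;",
    "Received: from gbd07 ([192.168.96.107]) by mail.example1.com with Microsoft SMTPSVC(6.0.3790.1830);",
]

if __name__ == "__main__":
    for line in SAMPLES:
        host, ip = parse_received(line)
        print(f"{host:32} {classify_rdns(host, ip)}")
```

The xo.net name comes out as "ip-embedded, no label": the hostname alone gives a pattern-based check nothing to separate a static assignment from a dynamic one.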

This archive was generated by hypermail 2.1.8 : Fri Oct 26 2007 - 23:53:34 EDT
